[libvirt] [PATCH 0/2] Improve security hardening of binaries

From: "Daniel P. Berrange" <berrange redhat com>

To: libvir-list redhat com

Subject: [libvirt] [PATCH 0/2] Improve security hardening of binaries

Date: Wed, 3 Apr 2013 12:41:44 +0100

Fedora has a "hardened build" option in RPM specfiles:
https://fedoraproject.org/wiki/Packaging:Guidelines#PIE
While we could enable that in the RPM, this would only
apply to Fedora. Thus these patches directly integrate
it in libvirt's configure.ac / Makefile.am files.
With these 2 patches all executables gain -fPIE and
-z relro -z now.
Using the checksec.sh script from
http://www.trapkit.de/tools/checksec.html
we can see the difference, before:

  $ ~/checksec.sh --file /usr/sbin/libvirtd
  RELRO           STACK CANARY   NX           PIE           RPATH      RUNPATH      FILE
  Partial RELRO   Canary found   NX enabled   No PIE        No RPATH   No RUNPATH   /usr/sbin/libvirtd

After:

  $ ~/checksec.sh --file /usr/sbin/libvirtd
  RELRO           STACK CANARY   NX           PIE           RPATH      RUNPATH      FILE
  Full RELRO      Canary found   NX enabled   PIE enabled   No RPATH   No RUNPATH   /usr/sbin/libvirtd
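
Added example (not part of the original mail or of the libvirt patches): how the RELRO and PIE columns above can be derived from an ELF64 file's program headers and dynamic section. The names `hardening`, `sample`, `BEFORE` and `AFTER` are made up here, the two images are constructed stand-ins for the before/after binaries, and using DT_DEBUG to tell a PIE from a shared object is an assumption of this example.

```python
import struct

PT_DYNAMIC, PT_GNU_RELRO, ET_EXEC, ET_DYN = 2, 0x6474E552, 2, 3
DT_DEBUG, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 21, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def hardening(elf: bytes) -> tuple:
    """Return (relro, pie) labels for a little-endian ELF64 image."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("only little-endian ELF64 is handled")
    (e_type,) = struct.unpack_from("<H", elf, 16)
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    relro = bind_now = debug = False
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        p_type, _, p_offset = struct.unpack_from("<IIQ", elf, base)
        (p_filesz,) = struct.unpack_from("<Q", elf, base + 32)
        if p_type == PT_GNU_RELRO:          # segment emitted for -z relro
            relro = True
        elif p_type == PT_DYNAMIC:
            for pos in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", elf, pos)
                if tag == 0:                # DT_NULL ends the table
                    break
                debug |= tag == DT_DEBUG
                # -z now is recorded as DT_BIND_NOW and/or a flag bit
                bind_now |= (tag == DT_BIND_NOW
                             or (tag == DT_FLAGS and bool(val & DF_BIND_NOW))
                             or (tag == DT_FLAGS_1 and bool(val & DF_1_NOW)))
    relro_label = ("Full RELRO" if bind_now else "Partial RELRO") if relro else "No RELRO"
    # ET_DYN covers both PIE executables and shared objects; DT_DEBUG is the
    # heuristic used here to separate them (an assumption of this example).
    if e_type == ET_DYN:
        return relro_label, "PIE enabled" if debug else "DSO"
    return relro_label, "No PIE"

def sample(e_type, dyn, relro):
    """Constructed image: ELF64 header, program headers and dynamic table only."""
    table = b"".join(struct.pack("<qQ", t, v) for t, v in dyn + [(0, 0)])
    n = 2 if relro else 1
    hdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, n, 0, 0, 0)
    ph = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 64 + 56 * n, 0, 0, len(table), len(table), 8)
    if relro:
        ph += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)
    return hdr + ph + table

BEFORE = sample(ET_EXEC, [(DT_DEBUG, 0)], relro=True)   # models the "before" row
AFTER = sample(ET_DYN, [(DT_DEBUG, 0), (DT_FLAGS, DF_BIND_NOW)], relro=True)  # "after" row
```

To check a real file, pass its bytes: `hardening(open(path, "rb").read())`.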